xloader_apk | 7d4d00a1ed508db997d98bc9bda0e9ed4e5115f5898b93f71ced5a1a92e44b6d

General

Target

dAdYrNg.apk
Size

218KB
MD5

cce6059446540919706260279c204608
SHA1

8aa0055a0d8c782204dbaccfc99545d2eb89d67d
SHA256

7d4d00a1ed508db997d98bc9bda0e9ed4e5115f5898b93f71ced5a1a92e44b6d
SHA512

b31dc057d12d5df5849f24ac00483529477b0e7beda1e43ff066798e42e7a33b28b5aed30073d184cbbdc9b6c839ca1de8000d49f4a7c9edf1c0a55eafde2e7d

Score

10^/10

xloader_apk banker infostealer obfuscation ransomware stealth trojan

Malware Config

Extracted

DES_key

Signatures

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

yljl.ezlfo.eahln

pid process

4232 yljl.ezlfo.eahln
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.

Processes:

yljl.ezlfo.eahln

ioc pid process

/data/user/0/yljl.ezlfo.eahln/files/dex 4232 yljl.ezlfo.eahln
/data/user/0/yljl.ezlfo.eahln/files/dex 4232 yljl.ezlfo.eahln
Reads name of network operator 1 IoCs
Uses Android APIs to discover system information.

Processes:

yljl.ezlfo.eahln

description ioc process

Framework API call android.telephony.TelephonyManager.getNetworkOperatorName yljl.ezlfo.eahln
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

yljl.ezlfo.eahln

description ioc process

Framework API call javax.crypto.Cipher.doFinal yljl.ezlfo.eahln
Suspicious use of android.app.ApplicationPackageManager.getInstalledPackages 2 IoCs

Processes:

yljl.ezlfo.eahln

pid process

4232 yljl.ezlfo.eahln
4232 yljl.ezlfo.eahln

ioc	pid	process
/data/user/0/yljl.ezlfo.eahln/files/dex	4232	yljl.ezlfo.eahln
/data/user/0/yljl.ezlfo.eahln/files/dex	4232	yljl.ezlfo.eahln

description	ioc	process
Framework API call	android.telephony.TelephonyManager.getNetworkOperatorName	yljl.ezlfo.eahln

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	yljl.ezlfo.eahln

Suspicious use of android.net.wifi.WifiInfo.getMacAddress 56 IoCs

Processes:

yljl.ezlfo.eahln

pid	process
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln

Suspicious use of android.os.PowerManager$WakeLock.acquire 1 IoCs

Processes:

yljl.ezlfo.eahln

pid process

4232 yljl.ezlfo.eahln

Suspicious use of android.telephony.TelephonyManager.getLine1Number 58 IoCs

Processes:

yljl.ezlfo.eahln

pid	process
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln
4232	yljl.ezlfo.eahln

Uses reflection 62 IoCs

obfuscation

Processes:

yljl.ezlfo.eahln

description	pid	process
Invokes method com.Loader.create	4232	yljl.ezlfo.eahln
Invokes method android.content.ContextWrapper.getPackageManager	4232	yljl.ezlfo.eahln
Invokes method android.app.ApplicationPackageManager.setComponentEnabledSetting	4232	yljl.ezlfo.eahln
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	4232	yljl.ezlfo.eahln
Invokes method com.Loader.start	4232	yljl.ezlfo.eahln
Invokes method android.telephony.SignalStrength.getLevel	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4232	yljl.ezlfo.eahln

yljl.ezlfo.eahln
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads name of network operator
- Uses Crypto APIs (Might try to encrypt user data).
- Suspicious use of android.app.ApplicationPackageManager.getInstalledPackages
- Suspicious use of android.net.wifi.WifiInfo.getMacAddress
- Suspicious use of android.os.PowerManager$WakeLock.acquire
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Uses reflection
PID:4232

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads